GDPR

The Virtual DPO:

A Compelling Alternative for GDPR Compliance

With the General Data Protection Regulation (GDPR) set to come into force imminently, many companies are scrambling to appoint a data protection officer. But for many organisations, particularly SMEs, a virtual DPO may prove far more effective. Lucy Ingham finds out more from ThinkMarble CEO Andy Miles and head of legal services Robert Wassall.

GDPR is almost upon us, and, at the time of writing, businesses across Europe are scrambling to ensure they are compliant. For many, this will include the appointment of a data protection officer (DPO), an independent expert tasked with a host of data-related tasks, including monitoring internal compliance and acting as a contact point to the supervisory authority.

While not all companies require a DPO, public authorities and companies that engage in large-scale processing of individuals or certain data categories as a core part of their business do. Many others are opting to voluntarily appoint a DPO to aid in their on-going compliance with the complex world of GDPR.

“There are two brackets people fall into: those who mandatorily have to have a DPO and secondly those who choose to do it,” says Andy Miles, founder and CEO of cyber and information security services provider ThinkMarble. “I highly commend, and we at ThinkMarble highly commend, people who choose to do it, because we think it is best practice.”

As a result, there has been a sharp growth in the number of DPO positions, some of which are being filled by existing employees and others by new recruits. However, with so many roles to fill, not only are some companies inevitably struggling to find suitably expert candidates, but some of those appointed are simply not up to the task.

For some companies, however, there is another solution, in the form of a virtual data protection officer (VDPO). A service now offered by a number of companies including ThinkMarble, a VDPO is not – as some may assume – a piece of software, but part of an emerging group of cybersecurity-as-a-service products. While a DPO is typically in-house, a VDPO provides access to a team of external experts, who take on all the tasks of a DPO for a monthly fee.

The data protection officer and GDPR: the value in the role

While many companies are legally required to appoint a DPO as part of their compliance with GDPR, others are opting to do so to ensure they are following best practice. However, it is important that companies do not see the position as an easy solution to total GDPR compliance.

“Having a DPO in any format is not the be all and end all,” explains Robert Wassall, data protection lawyer and head of legal services at ThinkMarble. “The DPO's role – whether it's in-house, whatever format – is not there to alleviate the organisation of any obligation or responsibility. The DPO's role is to guide the organisation in terms of compliance.”

However, the DPO is there to oversee data protection, and to ensure that the organisation remains compliant once GDPR comes into force on the 25th May.

“A primary part of the DPO's role is to keep that organisation on the right side of the tracks. They're there to make sure that they have got things in place, and, if not, to make sure they put things in place, and then also to monitor what things they have put in place on a regular basis to ensure that those arrangements are still valid,” says Wassall.

“What I think many organisations might be at risk of doing is going to some time and trouble to get themselves ready for the GDPR, and then having done so, take the view: 'well that's it now, we're all sorted as it were' and do very little, if anything, subsequently.

“Obviously as time goes on, whatever they've put in place may be less watertight. And things will always be capable of improvement anyway. So GDPR is to make sure that they not only get ready but stay ready.”

While here in the UK the DPO position is relatively novel, Wassall anticipates that in time GDPR will drive it to become a staple executive position.

“We have no history, really, with it except for a handful of firms, of having DPOs in the UK, whereas they are quite common already in Germany, for example. So I think that for the UK we're on the cusp of a new profession emerging, and I think that in a few years’ time any self-respecting company will have a DPO of some description,” he says. “I think it will be the normal thing to; it will be an omission not to have one.”

DPOs that shouldn’t be DPOs: when an employee isn’t the right answer

While having a DPO is now becoming increasingly prevalent, that doesn’t mean everyone who is currently being appointed as a DPO is suited to the position. In particular, given the legal need for a DPO to be a genuine expert on data protection, some of those setting themselves up to be hired as DPOs are not up to the standard they should be.

“I counsel extreme caution to those who appoint a DPO or one of these recently approved GDPR practitioners who has been on a recent course and what we've found is there's a number of people, for example, on LinkedIn: 'I'm now a GDPR practitioner, I could be your DPO'. Well they can't, because they're not subject matter experts,” says Miles.

“I think a number of companies are making grave mistakes where they think they're doing the right thing when actually they're not.”

Even if the person in question is a true subject matter expert, hiring someone exclusively for the role adds, as Wassall puts it, “a fairly significant chunk to the payroll”, and for many organisations having someone as a full-time DPO is overkill. As a result, many companies are instead looking at training up an existing member of staff to take on the DPO role in addition to other responsibilities. However, this comes with its own issues.

“If they wish to take an existing employee, which I know that some organisations are doing, they need to ask themselves this question: does this person have the ability to be changed – transformed, I'm almost tempted to say – from whatever it is they are into a DPO, bearing in mind a DPO has to be an expert on data protection,” he adds.

“The likelihood is that no existing employee will have that expertise, so how were they going to acquire that in any meaningful sense? And given that they're an existing employee, then they've got a job to do, so therefore how are they going to carry out the job they were employed to do and be the DPO at the same time? It's very difficult for me to see how any existing employee, no matter what their job title may be, is likely to be able to fulfill that role that they were originally employed to do and be the DPO.”

It is also important to be aware that there are those that simply cannot take on the role of DPO in addition to their current role, which makes the band of employees suitable for the position relatively small.

“It's clear from the guidance that has been issued that certain people by their role in the firm cannot be a DPO, for example people who are basically at the top end of the firm, the CEO, the directors, the heads of IT, the heads of HR,” he says. “Even if they otherwise would have the required levels of expertise, by their role in that organisation they would be disqualified in effect from being a DPO.

“So in other words to have an existing person as a DPO would probably require someone to be fairly – relatively speaking – junior in the firm. But one of the qualities and one of the points of having a DPO is someone who is independently minded and is able and willing to address what could be thorny issues with senior management, and I think it's going to be a struggle for anyone who is an existing employee, especially in a junior position, to fulfill that role very effectively.”

The virtual alternative: a data protection officer as a service

For some companies, then, the growing selection of virtual data protection officers may prove to be a better option, providing access to a team with long-established experience of data protection law – 35 years in the case of Wassall and his team – with far lower costs than a full-time employee.

Pitched at small and medium-sized enterprises, and with clients already using the service including premiership football clubs and pharmaceutical companies, ThinkMarble’s offering covers several services, across both day-to-day operations and occasional requirements, such as the preparation of data protection impact assessments and incident response tasks.

“We would be fulfilling all the tasks that the GDPR requires a DPO to do,” summarises Wassall.

“We provide a monthly live webinar to all our clients, so that would be an opportunity for them to be updated, to be educated, to be trained on whatever is going on, and we would expect those webinars to be very, very topical.

“Above and beyond that they would have the means to contact us, certainly in the event of a data security breach – obviously that would be instant access – and to ask any queries on more routine matters. We would offer an annual monitoring service, so we would check their policies and procedures and other things that they have in place as required by the GDPR.”

In a breach situation, this role becomes particularly important, as under GDPR a company has just 72 hours to notify the supervisory authority once a breach is discovered.

“If they suffer a breach, whether that's a paper breach or an electronic breach, we will work with and liaise with the appropriate authorities, in the UK that being the ICO,” adds Miles. “Robert and his team will be the interface into that organisation.

“We'll also cover off data privacy impact assessments. So, for example, if they were to deploy CCTV across their business or do out a new CRM system in there, that's where the DPO would come in. Then the other side of the business would then make sure that they've got the appropriate organisational technical controls in place to comply with the GDPR, whether that be penetration testing of their systems or whatever recommendations that the DPO makes.”

Outsourcing leadership: beyond the VDPO

With so many SMEs needing to or looking to hire a DPO, the market for a VDPO is significant, and for many it will prove a more cost-effective yet appropriate choice. However, for ThinkMarble, it is just the first stage in a wider trend of experts-as-a-service offerings that is set to unfold in the coming years.

“As a business owner and a leader I outsource, and you always outsource to the very best experts you can,” says Miles.

“We see that market growing, and at the moment we offer a virtual CSO – chief information security officer – role, so we give small-medium enterprises and larger corporates that service as well. I do see an absolute growth in that sector.”

PR nightmares: Ten of the worst corporate data breaches

LinkedIn, 2012

Hackers sold name and password info for more than 117 million accounts

Target, 2013

The personal and financial information of 110 million customers was exposed

JP Morgan, 2014

One of JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m

Home Depot, 2014

Hackers stole email and credit card data from more than 50 million customers

Sony, 2014

Emails and sensitive documents were leaked, thought to be by North Korea in retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un

Hilton Hotels, 2015

Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data

TalkTalk, 2015

The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen

Tesco, 2016

Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts

Swift, 2016

Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve

Chipotle, 2017

Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang
